From mboxrd@z Thu Jan  1 00:00:00 1970
From: Nick Thompson <nick.thompson@ge.com>
Date: Wed, 14 Nov 2012 09:59:29 +0000
Subject: [U-Boot] Bug in netconsole?
Message-ID: <50A36B81.1090100@ge.com>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

I think there might be a bug in this commit:

http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=commitdiff;h=2c8fe5120f8da013cbd789be2f10cce880972836

The commit makes "the netconsole buffer size configurable". It adds CONFIG_NETCONSOLE_BUFFER_SIZE and maintains the original 512 default value used to define the length of input_buffer[]. nc_input_packet uses sizeof this to read packet data into input_buffer[]. This appears fine.

The commit also adds to following in the output chain:

@@ -214,7 +218,7 @@ static void nc_puts(const char *s)
 
        len = strlen(s);
        while (len) {
-               int send_len = min(len, 512);
+               int send_len = min(len, sizeof(input_buffer));
                nc_send_packet(s, send_len);
                len -= send_len;
                s += send_len;

I can't see how this code relates to the sizeof input_buffer. The nc_puts data is written directly into NetTxPacket (plus header offsets) which is set to 1536 + alignment bytes long. If input_buffer is bigger than this, a buffer overflow will occur. Obviously the default value of 512 will not trigger the problem. The 512 magic number possibly ought to be derived from PKTSIZE_ALIGN (net.h), but I don't think sizeof(input_buffer) is appropriate here.

Regards,
Nick.